1.1. These customer data processing principles (hereinafter the Principles) explain how Ipec Invest (Ipec OÜ) (hereinafter the Lender) collects and uses customer data and what the customer’s rights are.

 

1.2. The Principles apply to all customers, including customer relationships established before the publication or entry into force of these Principles.

 

1.3. Agreements and service terms concluded with the customer may contain additional or more specific data processing arrangements. In case of conflict, the service terms and agreement shall prevail insofar as they comply with applicable legislation.

 

1.4. The Lender processes customer data:

• to fulfil legal obligations (including national and EU legislation and supervisory guidelines);

• to conclude, perform, and ensure performance of an agreement with the customer;

• based on the customer’s consent;

• based on the Lender’s legitimate interest, primarily to protect its rights and provide services securely.

 

1.5. By entering into a customer relationship or expressing the wish to use the service, the customer confirms awareness of the data processing described in these Principles.

 

1.6. Ipec Invest (Ipec OÜ) implements appropriate organisational, physical, and IT security measures to protect customer data and requires the same level of protection from authorised processors.

 

1.7. Data is mainly collected in three ways:

• the customer provides the data directly;

• Ipec Invest (Ipec OÜ) makes inquiries from public registers and legally permitted sources;

• data arises during the performance of the agreement.

 

2.1. Customer data – information known to the Lender about the customer within the customer relationship, including personal and contact data, transaction data, and data obtained from lawful public sources or third parties.

 

2.2. Customer (data subject) – a person who applies for, uses, or has used the services of Ipec Invest (Ipec OÜ) or is otherwise related to the service (e.g., guarantor or collateral provider).

 

2.3. Processing – any operation performed with customer data (e.g., collection, storage, use, transfer, retention, deletion).

 

2.4. Lender – Ipec Invest (Ipec OÜ).

 

2.5. Data controller – Ipec Invest (Ipec OÜ).

 

2.6. Third party – a person who is not the customer, the Lender, or an authorised processor.

 

3.1. Customer data processing complies with the General Data Protection Regulation (EU) 2016/679, the Personal Data Protection Act, other applicable legislation, and these Principles.

 

3.2. The Lender ensures data security and restricts access to customer data only to employees who require it for their duties.

 

3.3. Employees and partners with access to customer data must maintain confidentiality even after the end of the customer or employment relationship.

 

3.4. Customer data is processed purposefully and in accordance with the principle of data minimisation – only to the extent necessary to achieve the purposes described herein.

 

3.5. Data may be transferred to authorised processors and third parties based on legal grounds or the customer’s consent.

 

4.1. Ipec Invest may process, among other things, the following data:

• Personal data (e.g., name, personal identification code, ID document details) – for identity verification;

• Contact data (e.g., phone, email, address) – for communication and service-related notifications;

• Education and employment data (e.g., workplace, position, status) – for creditworthiness analysis and offering suitable services;

• Data on business activity and origin of assets – for prevention of money laundering and terrorist financing;

• Financial data (e.g., income, liabilities, previous payment behaviour, contract performance information) – for assessing solvency, managing risks, and evaluating service suitability;

• Data obtained in fulfilling legal obligations (e.g., information received from authorities when responding to inquiries) – for reliability assessment and compliance.

 

4.2. In addition, customer data may be processed for:

• contract administration (including payment monitoring, debt collection, updating data);

• internal reporting, statistics, and service development;

• background checks and verification of customer-provided data, including inquiries from public registers and legally permitted third parties.

 

5.1. The Lender may transfer customer data (excluding special categories of personal data without legal basis) to:

• partners necessary for service provision (e.g., IT, communication, postal, translation service providers) and persons related to the agreement (e.g., guarantors, collateral providers);

• register holders and credit information providers to ensure responsible lending and assess payment behaviour;

• a new creditor in case of assignment of claims;

• Estonian or foreign credit and financial institutions when necessary for reliability assessment or AML/CTF compliance;

• payment default registers and other authorised recipients in case of breach of contract, within the limits permitted by law.

 

5.2. The payment default register may be maintained, for example, by AS Creditinfo Eesti (registry code 10256137), if there is a legal basis for transferring the data.

 

6.1. The Lender retains customer data only as long as necessary to fulfil processing purposes, legal obligations, or protect its rights.

 

6.2. Generally, data is retained until the expiration of the limitation period for claims, unless legislation provides otherwise.

 

6.3. Data collected based on consent is retained until consent is withdrawn or a deletion request is granted, unless the Lender has another legal basis for retention.

 

7.1. The customer has the right to:

• receive information about the processing of their data and access their data;

• request correction of inaccurate data;

• in certain cases, request deletion of data or restriction of processing;

• object to processing when based on legitimate interest;

• contact the Lender with explanations or complaints at: info@ipecinvest.ee.

 

7.2. The Lender responds as soon as possible, but no later than within one (1) month of receiving the request. The response time may be extended in cases permitted by law.